author | Chris PeBenito <pebenito@ieee.org> | 2021-09-08 10:53:44 -0400 |
---|---|---|
committer | Jason Zaman <perfinion@gentoo.org> | 2021-10-31 15:45:37 -0700 |
commit | 9f33ba86aae719abf00b46a26fff3fee5e723719 (patch) | |
tree | 028c3fa9d515e75b0a5cc22e9d9f94aca1969a16 /Changelog | |
parent | Bump module versions for release. (diff) | |
Update Changelog and VERSION for release 2.20210908.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Diffstat (limited to 'Changelog')
-rw-r--r-- | Changelog | 147 |
1 files changed, 147 insertions, 0 deletions
@@ -1,3 +1,150 @@ +* Wed Sep 08 2021 Chris PeBenito <pebenito@ieee.org> - 2.20210908 +Andreas Freimuth (2): + Prefer user_fonts_config_t over xdg_config_t + Set user_fonts_config_t for conf.d + +Chris PeBenito (76): + rpc: Move lines. + selinux: Add a secure_mode_setbool Boolean. + Remove additional unused modules + Rules.modular/Rules.monolithic: Fix intdented labeling statement moves. + selinux: Change generic Boolean type to boolean_t. + selinux: Set regular file for labeled Booleans genfscons. + selinux: Add dontaudits when secure mode Booleans are enabled. + kernel: Add dontaudits when secure_mode_insmod is enabled. + authlogin: Add tunable for allowing shadow access on non-PAM systems. + authlogin: Remove redundant rule in auth_domtrans_chk_passwd(). + Create stale.yml + stale.yml: Fix labels with spaces. + authlogin: Deprecate auth_domtrans_chk_passwd(). + init: Add support for systemd StandardInputText. + .gitignore: Ignore vscode data dir. + .gitignore: Remove duplicate lines. + Revert "systemd.if minor fix" + systemd: Drop second parameter in systemd_tmpfilesd_managed(). + staff, sysadm, unprivuser: Move lines. + xserver: Move fc lines. + radvd: Whitespace fix. + virt: Move lines. + Bump module versions for release. + +Christian Göttsche (1): + Use correct interface or template declaration + +Dave Sugar (2): + systemd.if minor fix + Resolve when building monolithic on RHEL7 + +Fabrice Fontaine (5): + policy/modules/services/minidlna.te: make xdg optional + policy/modules/services/ftp.te: make ssh optional + policy/modules/services/cvs.te: make inetd optional + policy/modules/services/ifplugd.te: make netutils optional + policy/modules/apps/wireshark.te: make xdg optional + +Jonathan Davies (13): + staff.te: Allow staff access to the virt stream, needed for when the + sockets are access remotely over SSH. + logging.if: Added interfaces for watching all and audit logs. + roles: Added log watching permissions to secadm and sysadm. 
+ irc.te: Allow irc_t access to unix_dgram_socket sendto to allow clients to + connect to a SOCKS proxy. + screen.if: Added interface to allow executing sock file. + irc.te: Allowed client access to screen runtime sock file. + dmesg.te: Added files_read_etc_files() as some distros store terminfo + files in /etc/. + devices.fc: Added missing Xen character files. + sysadm.te: Allow sysadm_t to read/write Xen character devices so userspace + tooling works. + sysnetwork: dhcpc_t: Added corenet_sendrecv_icmp_packets() + radvd.te: Added corenet_sendrecv_icmp_packets(). + dhcp.te: Added corenet_sendrecv_icmp_packets(). + virt: Defined a virt_common_runtime_t type for the new common/system.token + file and added permissions to virtd_t and virtlogd_t. + +Kenton Groombridge (36): + dovecot, postfix: add missing accesses + various: systemd user fixes and additional support + systemd, fail2ban: allow fail2ban to watch journal + fail2ban: allow reading vm overcommit sysctl + usbguard: various fixes + redis: allow reading certs + rngd: allow reading sysfs + getty: various fixes + modutils: allow kmod to read src_t symlinks + devices, userdomain: dontaudit userdomain setattr on null device nodes + spamassassin: allow rspamd to read network sysctls + redis: allow reading net and vm overcommit sysctls + devices, userdomain: dontaudit userdomain setattr on null device nodes + files, init, systemd: various fixes + ssh: allow ssh_keygen_t to read localization + devicekit: allow devicekit_disk_t to setsched + udev: various fixes + init: modify interface to allow reading all pipes + iptables: allow reading initrc pipes + wireguard: allow running iptables + bootloader, filesystem: various fixes for grub + mount: allow getattr on dos filesystems + init, mount: allow systemd to watch utab + init, systemd: allow logind to watch utmp + logging: allow auditd to use nsswitch + logging: allow auditd to getattr on audisp-remote binary + systemd: allow systemd-resolved to manage its own sock 
files + systemd: add policy for systemd-sysctl + init, udev: various fixes for systemd + udev: allow systemd-vconsole-setup to sys_tty_config + various: several dontaudits + sysadm, systemd: various fixes + authlogin: add new type for pwd.lock and others + init: allow systemd to rw shadow lock files + filesystem, init: allow systemd to create pstore dirs + bootloader, devices: dontaudit grub writing on legacy efi variables + +Krzysztof Nowicki (15): + Fix interface naming convention (plural predicates) + Allow systemd to relabel startup-important directories + Allow execution of shell-scripted systemd generators + Also grant directory permissions in sysnet_manage_config + Allow use of systemd UNIX sockets created at initrd execution + Fix systemd-journal-flush service + Allow systemd-tmpfilesd populating of /var/lib/dbus + When using systemd_tmpfilesd_managed also grant directory permissions + Enable factory directory support in systemd-tmpfilesd + Allow systemd-tmpfilesd to relabel generic files inside /etc + Allow systemd-tmpfilesd to set attributes of /var/lock + Mark lvm_lock_t as systemd_tmpfilesd-managed + Allow systemd-tmpfilesd handle faillog directory + Fix setting-up sandbox environment for systemd-networkd + Allow systemd-tmpfilesd to access nsswitch information + +Markus Linnala (13): + policy: init: there is no enabled_mls, it is enable_mls + policy: files: files_spool_filetrans: doc: change param from file to + file_type + policy devices: dev_filetrans: doc: change param from file to file_type + policy gnome: gnome_dbus_chat_gconfd: doc: does not have 1st param of + role_prefix + policy chromium: chromium_tmp_filetrans: doc: add missing 2nd param + documentation + policy gpg: doc: add documents for all *filterans parameters + policy seunshare: seunshare_role: parameters usage partially mixed + policy kismet: kismer_role: parameter order mixed in kismet_run + policy: interfaces: doc: indent param blocks consistently + policy avahi: avahi_filetrans_pid: 
doc: add missing params + policy: xserver: xserver_dbus_chat: fix require + policy:ssh: ssh_server_template: fix require + policy: files: files_get_etc_unit_status/files_{start,stop}_etc_service: + fix require + +Russell Coker (1): + blkmapd + +Xiongwei Song (1): + Add ubifs to filesystem policy + +Yi Zhao (1): + roles: move dbus_role_template to userdom_common_user_template + * Wed Feb 03 2021 Chris PeBenito <pebenito@ieee.org> - 2.20210203 (GalaxyMaster) (1): added policy for systemd-socket-proxyd |
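Review bot: the "Chris PeBenito (76):" header is followed by only 23 subjects, so the count and the list disagree; if the count includes commits that are deliberately not listed, say so in the entry, otherwise correct the number. In the "Kenton Groombridge (36):" block the subject "devices, userdomain: dontaudit userdomain setattr on null device nodes" appears twice. If those are two distinct commits, that is fine as a shortlog, but it reads as a duplicate and a word distinguishing them would help. Several entries change what policy users and downstream module authors see ("selinux: Add a secure_mode_setbool Boolean.", "authlogin: Add tunable for allowing shadow access on non-PAM systems.", "authlogin: Deprecate auth_domtrans_chk_passwd().", "systemd: Drop second parameter in systemd_tmpfilesd_managed()."), yet they sit unmarked among whitespace and "Move lines." commits. Consider a short upgrade-notes paragraph at the top of the release entry that calls these out. Minor: the subjects carry typos ("intdented", "kismer_role", "*filterans", "sockets are access remotely"). If the Changelog is meant to mirror commit subjects verbatim, leave them; otherwise fix them here.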